Alyssa Miller

Hacker, Researcher, and Security Advocate

I’m here and I’m human

Hi, here I am. I am Alyssa. I am a 44-year-old woman and a parent of three wonderful children. I am an executive leader at one of the oldest and best-known financial firms on Wall Street. I am a public speaker who travels internationally to share my work at large conferences with tens of thousands of people a year. I am an author; my first book is currently in production and will be in print soon. I am a soccer referee, and I officiate some of the highest levels of competition in the Big1G. I am currently enrolled in flight school and planning to get my Private Pilot Certificate. I am also transgender.

Alyssa in blue cast lighting with a wireless microphone on her cheek looking up to the right.

Now if you didn’t know me, you might read those first six sentences and be left feeling like “wow, this woman has really accomplished a lot in her life”. I’ve come to accept that yeah, that’s right, I really have. I’ve been very fortunate to have opportunities I could have never dreamed of. I’ve taken those opportunities and made the most out of them. I’ve used my privilege and wealth in many ways to give back to my community, to those who don’t enjoy such privilege, and ultimately to try and make our world a little better place. Everything our society asks of a person I feel I have done in some way.

Except there’s that last sentence in that first paragraph. The one that tells you how I don’t fit into society’s view of human beings. The one that some people get stuck on and will focus on despite the impressive list of accomplishments that precedes it. It’s the sentence that gets me subjected to bullying, discrimination, and ultimately hatred from the people around me (even when they’re perfect strangers). That word, transgender, has been used by politicians, supposedly devout religious people, and fascists as an excuse for their hatred and even violence toward people like me.

People will use that word to tell you that I’m some sexual deviant. They will say that I have an incurable mental illness. They will say that I just want to break into women’s spaces so I can spy on them. They will tell you that my intentions are to erase women and make them irrelevant. They will tell you that I’m so disgusting that I don’t deserve access to healthcare, that I shouldn’t even be able to make my own medical choices with my doctor. They’ll say that I shouldn’t be allowed to play sports, and many will even suggest I shouldn’t be allowed to go to a public bathroom because I’m such a monster.

Of course none of that is true. I’m not a sex offender of any fashion. I don’t have a mental illness (trust me, trans people are forced to undergo tons of mental evaluation to confirm this). I advocate for women’s rights every single day, including those that don’t directly impact me. I work to uplift all people and especially to level the playing field for those that are marginalized. And when I go to the bathroom, I can assure you my only goal is to pee, poop, wash my hands, and then go on with my day. Yet the narratives of how horrible I am persist and far too many people still believe them.

This is the reality of being transgender in America today. Over 150 bills have been proposed across 47 states in the first three months of 2022 that target transgender people specifically and seek to treat us differently than other Americans. That’s literally legalized discrimination. Transgender people have become the convenient target for political ideologies that love to bully others. We’re easy targets, easily the most vulnerable right now because any protections we have against discrimination in law are dubious at best. We’re not easily seen. Transgender people are estimated to only make up 1% of the population, and not all of us are easily detectable when we’re in your midst.

Picture of protesters holding signs that say protect trans kids

But today is transgender day of visibility. It is the one day a year that transgender people devote to being visible. To letting society know that we are humans just like you, we have the same human needs each of you do, we have all the good and bad traits that exist across the beautiful rainbow of our society and our people. Transgender women, Transgender men, Non-binary, and other gender non-conforming people are still people just like you. Yet so many in our world want to vilify us and see us erased from this planet. But it’s all based on that false narrative they’ve painted of who we are.

So today, I want you to see me as just one example of who transgender people really are. Not all are like me, not all have the same wants, needs, and desires as me. However, one thing we all universally want is to be treated with the same dignity and respect that would be afforded any other human being on this planet. I ask that you stand in solidarity with ALL HUMANS and recognize that no matter what color, what gender, what sexuality, what religion we come from, we’re all HUMANS and that is a pretty damned good reason to look in awe at just how wonderful each and every one of us is.

Security IS a Business Function

I hear and see a growing number of security leaders and executives talking about the job of security to “enable the business”. This is a promising sign that we’re getting better in security spaces about recognizing our true role and demonstrating our value to the organization. However, what I’ve also discovered is that when I ask probing questions of these leaders, many of them do not understand *how* security enables the business. They struggle to articulate just what it is about security that drives business success. I believe this is because we still look at security as separate from the business and that we need to approach security as a business function.

When we think about business support functions like our finance teams, our recruiting teams, our accounts payable/receivable teams, we’re able to clearly visualize the direct impact each of those makes (or at least should make) in driving business success. In most cases we can articulate how those are business functions in terms of their connection to generating revenue and maximizing bottom line income. When we think about security however, those lines are often harder for us to picture. Often, security is thought of as a technology function, a few steps removed from the core business and lacking the ability to directly impact the business. So how do we start to shift from that mindset?

Image depicting a large canyon between a man at a computer labeled security teams and a woman at a white board labeled "the business lines"

Moving beyond traditional thinking

Traditionally, when security practitioners have been forced to justify our value, the default line of thinking has been risk reduction. Security teams focus on the theoretical (albeit perhaps inevitable) impacts of breaches, attacks, etc. and we try to justify how our initiatives and processes reduce that risk. Then we try to quantify that by talking about the associated cost avoidance that comes from reducing instances of threats being realized. This approach is problematic because, for those on the business side, these discussions lack context. The whole concept is ethereal, that process of quantification is difficult and hard to defend under scrutiny. The result is that we fail to gain committed support from our peers in the executive suite (yes I said peers, as that is what they should be, but that’s a topic for a different article).

If my relatively young tenure leading the security strategy for the CRA division (CRA, Credit Ratings Agency) of my organization has taught me anything, it’s the necessity of connecting everything to business viability, revenue, and bottom-line profit. I too have spoken for years about the need for security to enable the business. Working for a VAR, I understood it from the perspective of justifying security purchases. So I keyed in on that story line and how to motivate executives to spend money on the tools and processes we need. When I worked for a cloud native security company, I got to see it from the perspective of how security can enable and grow the DevSecOps culture that so many organizations seek to leverage. But now, working in a global Fortune 500 financial services org, I feel like I’ve finally been able to wrap my 16 years of cybersecurity experience around the idea of how we truly connect the dots.

Thinking like a creditor

Imagine, for a moment, being a CISO and trying to demonstrate to a potential creditor how your cyber security program positively impacts the creditworthiness of your organization. For many in the security space, this seems like an impossible or maybe even laughable objective. Maybe, if we do take it on, we fall back on our laurels of cost avoidance through risk reduction. How many creditors are going to be interested in that story line? I can assure you, very few. So ask yourself, how do we take it further?

When a creditor is looking at your organization, they want to know how likely it is you’ll be able to pay off your debts. Sure, avoiding unexpected and unplanned security expenses plays a part but in the grand scheme of things that’s a very small influence. We need to instead elevate our security program’s influence on the bigger picture. Creditors want to know where you are headed in terms of growth, investment, innovation, market placement. Where you are today actually is less relevant, where you’ve been even less still. Even where historical performance is used, it is done so as a predictor of how your organization will do in light of future challenges. Therefore, to credibly demonstrate the significant component our security programs represent in that bigger picture, we have to speak to those forward-looking concepts.

Finding the holy grail

This is essentially that “holy grail” of business enablement that is being discussed with greater frequency. To do this we as security leaders need to change our prioritization metrics. This means programs designed around less traditional priorities that are the ones that drive where the organization is headed:

Depiction of a hand shake with a word map in the hands with words such as cooperate, welcome, connect, integrate, communicate, assist, bridge, etc.

  • Product Agility – How is your security program creating the capability to bring products and enhancements to the market faster? Removing friction is important, but do you actually make frequency of deployments, reduction of work-in-progress, and product/service stability KPIs for your security program? If not, you’ve completely missed the boat on what “shared responsibility” (a core tenet of DevSecOps culture) means.
  • Innovation – Consider your standards and policies: are they built to ensure security and be flexible enough to allow exceptions, or do they actually encourage your business to find new ways to accomplish the same security objective? The former is hard enough for many security programs to understand. The latter is where we need to get to, but very few make it a focus. Netflix years back introduced the idea of the “paved road”. Making the secure path the easy path to deployment encourages secure practices. But what about introducing a higher level of empowered accountability, encouraging our business lines to achieve an acceptable level of security in a way that best fits their business objectives?
  • Business viability – There are plenty of fail-fast stories out there. Heck, Alphabet has built an empire on the concept. But even when we do it fast, failure can still be expensive. Have you ever considered how your security program can support greater viability in the marketplace for your organization’s products and services? Security practitioners often consider reputational risks, but how can we move beyond that and address other viability risks? Security programs need to focus on how we can improve customer acquisition. Can we remove friction from the customer onboarding process? Can we leverage our security expertise to better support customer success initiatives? Our programs should also consider how we can support brand alignment. Wouldn’t we all love to work for a business where security was a credible component of the brand? These are key priorities that should shape how we grow our security program.
  • Profitability – Sure, you’re probably thinking, well, that’s obvious. If I can reduce the cost of my program, I can make us more profitable. Well, if you’re a CISO working on a budget that’s likely already stretched thin, is that really the approach you want to take to prop up the bottom line? Instead, make driving cost efficiency in the business line your priority and be sure to track it and demonstrate it. Drawing a connection between a security initiative and reduced hard-dollar costs in the business line is a gold nugget that gains you support not just from the Executive Suite but also from the business lines themselves. Look for alignment between tool capabilities and business compliance requirements. Even better, build security processes and projects that eliminate the need for extensive business processes.

We as security leaders have to start thinking differently. We cannot continue to silo ourselves from the business and then preach about how we’re going to enable the business. We can’t continue to demand that security is everyone’s responsibility while abdicating our responsibility for making our development pipelines more efficient, our business practices stronger, and our marketing objectives more strategic. We share in that too. If we do this, we can start to get our organizations collaborating with us, leveraging our capabilities and thinking of us not as a necessary cost center but rather as a true function of the business.

Image of a red stamping of the word plagiarism

Plagiarism at EC-Council, an Open Response

Cases of plagiarism by cyber security certification company EC-Council have been documented for over a decade. As I wrote previously, I personally was one of many victims of this behavior recently. On June 27, 2021, I was contacted by email by the CEO of EC-Council, Jay Bavisi, to inform me that they had released a statement regarding the issue.

On the surface, the statement appears genuine and direct. However, I knew after sitting with it for some time I’d start to see the issues more clearly. So while I immediately shared it on social media, I did not offer any reaction. I’m ready now to openly share my thoughts on this statement.

A Lengthy Response

The statement from EC-Council is long and clearly took some considerable thought to assemble. It touches on some points of accountability and offers some transparency into how EC-Council plans to address the situation. So I’m going to go point by point, offering my reactions to each here.

Their explanation

Graphic with the greeting and first three paragraphs of the EC-Council statement.

In these first couple of paragraphs, Mr. Bavisi attempts to address the silence from his organization. Remember, this statement came a full week after I first reported the plagiarism. While I’m glad they addressed this issue, why it took a week to investigate and admit wrong-doing is a mystery. Clearly crisis communications are not EC-Council’s strong suit. Still, I’m glad to see he came prepared to face the music. Let’s see what they’ve learned.

What they learned

A graphic showing the first bullet from the EC-Council statement expressing disappointment about the events.

OK, this looks like a good start. This is the first time in the week since my report that EC-Council has used the words “plagiarism” and “sorry”. They go on to loosely explain it as a series of missteps. This is a bit of minimization considering these accusations can be found dating back to 2011. However, nice to see ECC finally admit culpability.

A graphic showing a bullet point from the ECC statement talking about anti-plagiarism tools

The second bullet and things are getting shady already. In their previous statement, ECC claimed their blogs were checked for plagiarism by “industry accepted software.” However, now they contradict that. Alright, so gaps happen. However, it’s the rest of this point that’s troublesome to me. Bavisi attempts to distance this situation from their certification and course content. Of course he does, because those are the primary sources of ECC’s revenue. They are the crown jewels and this situation has undermined their credibility in the market.

The problem is, there is a high profile case of plagiarism in ECC’s exam questions documented on the internet as well. So this becomes a divide and conquer maneuver. Bavisi is already attempting to treat this as a one-off event rather than consider the bigger picture of the culture at his organization.

Whatchya gonna do about it Jay?

Graphic of another bullet in which Jay Bavisi says he takes full responsibility

Um, so what does it mean that you take full responsibility? You’re the CEO, of course you do, whether you like it or not. But this is a meaningless platitude if not met with action. Maybe your following bullets will help explain it more. The unreserved apology is nice, the second time contrition has been presented without caveat. That’s a far better response than the first statement you released.

Bullet saying the blog will no longer be managed by the marketing team

This is an interesting response. In most organizations, blogs such as ECC’s which serve a very specific purpose fall under marketing. It’s called content marketing for a reason. Your blog is set up to offer free materials in order to market your products. So could this be a shift in how ECC plans to leverage their blog? I’ll be staying tuned, as that could be something potentially, dare I say, innovative?

Bullet stating that the blog will remain off-line and that they're establishing an editorial team.

This sounds like a great idea. Bring in people who are technical experts to create original content that is high-quality and of value to the community. I think Jay actually read my previous blog and is taking my suggestion on this. Value contribution is a principle I called for them to apply and this sounds like they’re moving in that direction. Well done!!

Bullet stating they are planning to hire an editor with experience in technology and security

Any of my skilled writer friends need a job? I know someone who’s hiring. In all seriousness though, this is a good move and a good investment. Time to bring in someone that knows what they’re doing. Someone connected with the industry and with journalistic practices would be a big improvement.

Graphic of two bullet points that seem to reiterate the previous two bullets

I’m tackling these two together because they seem to go together and express pretty much the same thing I got from the previous two points. These are good moves. An advisory board, and hiring subject matter experts. In the past ECC has relied on free contributions from whoever they could get to provide them with such content. That’s not a recipe for getting the best and brightest. Pay people for their knowledge. That’s how you get quality work!

Bullet stating they'll hire diverse people

Yes, you should be hiring across a diverse set of candidates. Your writing pool should represent the same diversity that is in the community you serve. I’m thinking this is a callback to the situation in April.

Bullet stating they're creating a VLOG to help avoid plagiarism

A Vlog is an interesting approach. However, Jay, be aware that this will not “ensure that plagiarism won’t happen again”. It is possible to plagiarize via spoken word as well. However, it is also harder to find. So, I truly hope that you don’t think just because it’s live or recorded content being spoken on video means that it can’t be plagiarized material. Tread lightly on this one.

Bullet that asks victims of their plagiarism to reach out to them.

I’m not sure what this is asking. Jay, are you asking for all currently identified victims of the plagiarism to contact you at this email? Are you offering compensation or something similar for the works your organization stole and profited from? Or are you looking for further victims to make themselves known? If the latter, I’d say with how trivial it was for us to find additional plagiarized content, perhaps your team should be doing that work. Especially now that the blog is offline so searching it requires use of the WayBack Machine.

Bullet stating they hold themselves to rigorous standards

Oh cool, the rest of EC-Council too? So does that mean you’re making improvements in exam question authoring as well? You need to come through on this promise. I’m sure your missteps so far this year have had an impact on your bottom line. Don’t want any more of that.

Bullet announcing the resignation of a Marketing Executive

Well, um, what? Jay, I thought you were taking full responsibility? Also, how senior was this marketing executive if they weren’t even listed on the executive team page on your website? This one bothers me. Not that there wasn’t good reason for this person to resign. However, it screams of scapegoat-ism. It ignores that the problem goes higher. Given how long this has been going on and the number of issues (not just plagiarism) at play, clearly there is a cultural shift needed. What is the rest of your executive team doing to make real change happen Jay?

Wrapping things up

Graphic with the concluding five paragraphs of the statement

So the conclusion begins with another apology and Jay again saying he takes full responsibility. Still wondering about that executive marketing leader. Then he announces the upcoming release of their diversity report that they committed to back in April/May. Clearly he wants us all to know ECC is trying to get better. Fair.

The third paragraph is wonderful but perhaps should have appeared early in this statement. Jay actually acknowledging (I believe for the first time ever) that there has been a lengthy history of this behavior from ECC. That’s important because, as I’m sure Jay with his law degree knows, this puts him legally on the hook now. If things don’t get better after this, he has no plausible deniability.

The next statement is nice if it isn’t platitude. Jay reaching out to the community for their thoughts on what ECC can do to get better. Yes, that’s a great invitation, but I hope there’s some substance behind that. I also hope this isn’t a lazy attempt at finding your issues without doing the hard work of introspection. Interacting with and hearing from your community is important, so maybe a good step? We’ll see.

The verdict

Well as I said when I shared this on social media, some good info and some problematic statements. I’m not convinced at this point. Given ECC’s history of this kind of behavior they’ve got a long road to travel. From the responses I’ve seen privately and publicly on social media, it seems much of the industry feels the same way.

I don’t wish for the failure of EC-Council. I don’t think that would be good for our community in the long run. However, my opinion could be changed if EC-Council themselves continue to cause damage like this. So for me, for now, I’ll be keeping them at arm’s length. They need to show me they’re actually changing. That they’ve learned it’s ok to make profits, but that those profits should come from building up the security community, not draining from it.

Two intersecting road signs saying Fake and Original

Ethics in Cybersecurity Marketing – Principles of Value Contribution

Ethics in Cybersecurity Marketing is a topic of hot debate among many security practitioners. Cybersecurity vendors are often criticized for the marketing campaigns they deploy, the promises they make, and the practices they use to reach members of the community.

Recently, the cybersecurity community (and I in particular) was the victim of unethical content marketing on the part of an organization we should be able to trust. EC-Council was recently discovered to be publishing blogs that were, in the opinion of a lawyer I spoke to, plagiarized from security and technology experts. One such work was my blog, “What is a Business Information Security Officer (BISO)”. What follows is a description of the events and what I believe needs to be done to correct this horrific trend.

BISO - Business Information Security Officer, white text on black background

The Saga Begins

The recent revelation with EC-Council began on Sunday, June 20, 2021. While performing a Google search to pull the Featured Snippet that had previously been attributed to my BISO blog, I discovered it was no longer connected to my blog. This is normal. Google updates their featured snippets all the time based on content they crawl from the web. However, what caught my eye was that the text of the snippet appeared to be the content from my blog but attributed to a different site.

Looking deeper I found that it was attributed to a blog on the EC-Council website. The preview text, defining what a BISO is, was almost verbatim the same as my blog with only a couple words changed. I went and reviewed the blog in detail and discovered it was a direct copy of my blog, re-worded in many places to disguise where the content had come from. Additionally, a quote from another technology professional (which I would later discover was taken from another site) and some marketing fluff for one of their certifications had been added to the end.

Notification to EC-Council and Social Media

I was hurt, I was angry, I also felt betrayed. You see, in April of 2021, I worked with EC-Council to help them address issues of misogyny and sexism that had come to light. Despite many who expressed a bad feeling about the organization, I tried to give them the benefit of the doubt and a chance to change their ways. Seeing my work plagiarized in this way was another sign to me of the disrespect EC-Council shows to the community they purport to serve. Additionally, by doing this, they had pulled traffic away from my blog where I also seek to foster interest from those looking to hire me as a public speaker.

Google search results showing EC-Council copied blog #1 and original #2
The Google search results showing the previews of my blog and the stolen content on Sunday, June 20.

I immediately sent messages via both LinkedIn and email to EC-Council’s CEO, Jay Bavisi. I also began collecting evidence and posted links to Twitter and LinkedIn to get others’ opinions of what had occurred. This was all early afternoon, Central Time, on Sunday.

The social media posts blew up. Comments, retweets, reshares, and many direct messages expressing anger with EC-Council, and support for my efforts to call out their behavior. At 5:20PM CDT, Mr. Bavisi responded to me indicating that they would investigate. At 8:33PM he responded again stating they would take down the blog while they continued investigating. At 9:35PM I was finally able to confirm that the blog had been removed from their site.

A Pattern of Behavior

For the next 48 hours the only activity was the ongoing discussion on social media. I heard nothing from EC-Council. However, I was informed that my story had been added to a growing list of misdeeds by EC-Council that have been captured on the website attrition.org. Then I received a reply from another member of the Twitter community who had found another instance of an EC-Council blog that appeared to be plagiarized from another source. Over the course of the next hour, I and this individual identified three more blogs, for a total of five blogs, that appeared to be works of plagiarism as well. I reached out to the owners of the original works and was able to confirm with at least two of them that they had not provided EC-Council with permission to use and modify their work.

How did we find them? Well it was quite easy honestly. You see, despite efforts to change the wording in an attempt to obfuscate where the content came from, there are always crucial key terms or phrases that can’t really be changed. So all it took was selecting a blog from the EC-Council blog site, finding a few of those key terms or phrases, and then plugging them into Google. Typically the source content showed up somewhere in the first five results. A quick read of the content side-by-side confirmed the overwhelming similarities. From there the process was the same. Save documentation, confirm it was logged in the WayBack Machine at archive.org and then share to social media.
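The same observation that made the manual search work (a reworded copy still shares distinctive phrases with its source) is what an automated near-duplicate check relies on. The script below is an added example, not code from the original post or from any tool named on the page; it is written for the defensive use the later QA section calls for, letting an author or editorial team compare a draft against a known original before publication. The three sample texts are constructed for the example and are not the BISO blog or the EC-Council copy. It computes Jaccard similarity over word trigrams, containment (which stays high even when the copy has extra material appended, as described above), and the list of shared phrases with at least two content words, which are exactly the kind of key terms the paragraph above says survive rewording.

```python
import re

# Constructed sample texts for this example; they are not the blog posts the page discusses.
ORIGINAL = ("A Business Information Security Officer acts as a bridge between the "
            "security team and a specific business line. The BISO translates security "
            "requirements into business terms and helps the business line meet its "
            "security obligations without slowing delivery.")
REWORDED = ("The Business Information Security Officer serves as a bridge between the "
            "security team and a particular business unit. A BISO converts security "
            "requirements into business terms and assists the unit in meeting its "
            "security obligations while keeping delivery fast.")
UNRELATED = ("Configure the firewall to deny inbound traffic by default and log every "
             "rejected connection so that analysts can review unexpected activity.")

# Function words carry no authorship signal, so shared phrases made only of these are ignored.
STOPWORDS = {"a", "an", "the", "and", "or", "of", "to", "in", "its", "as", "by", "is", "that", "it"}


def tokenize(text):
    """Lowercase word tokens; punctuation and case changes do not defeat the comparison."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, n=3):
    """Set of word n-grams (shingles). Swapping a few words leaves most shingles intact."""
    toks = tokenize(text)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def jaccard(a, b, n=3):
    """Symmetric overlap: shared shingles divided by all shingles in either text."""
    sa, sb = shingles(a, n), shingles(b, n)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def containment(original, candidate, n=3):
    """Share of the original's shingles that reappear in the candidate. Unlike Jaccard,
    this stays high when the copy has extra text appended (quotes, marketing fluff)."""
    so = shingles(original, n)
    return len(so & shingles(candidate, n)) / len(so) if so else 0.0


def shared_phrases(a, b, n=3, min_content_words=2):
    """Shingles present in both texts with at least min_content_words non-stopwords:
    the distinctive phrases that survive rewording and make good search terms."""
    common = shingles(a, n) & shingles(b, n)
    keep = [" ".join(s) for s in common
            if sum(w not in STOPWORDS for w in s) >= min_content_words]
    return sorted(keep)


def compare(original, candidate, n=3, threshold=0.15):
    """Summarise the comparison; 'suspicious' flags candidates worth a human side-by-side read.
    The threshold is an assumption for this example, not a calibrated value."""
    return {
        "jaccard": round(jaccard(original, candidate, n), 3),
        "containment": round(containment(original, candidate, n), 3),
        "shared_phrases": shared_phrases(original, candidate, n),
        "suspicious": containment(original, candidate, n) >= threshold,
    }


if __name__ == "__main__":
    for name, text in (("reworded", REWORDED), ("unrelated", UNRELATED)):
        print(name, compare(ORIGINAL, text))
```

The check only confirms overlap with a text you already have, so it complements rather than replaces the human review the post calls for: a reviewer still has to read the two pieces side by side and judge whether the shared phrases are ordinary terminology or lifted prose. In practice the shared-phrase list is the useful output, because a handful of distinctive trigrams is enough to locate the source of a suspect paragraph.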

You can find copies of the screenshots taken of each blog for your own comparison in this GitHub repository.

Goodbye EC-Council Blog

Sometime after 9:35PM CDT on Tuesday (when I contacted Mr. Bavisi again regarding the additional evidence), the EC-Council blog website was taken off-line in its entirety. Requests to the blog site were redirected to their home page. In the very early hours of Wednesday morning, EC-Council published a formal statement.

EC-Council Statement announcing the removal of their blog and the publishing of non-original works

It was a complete word salad of legalese. The only mention of the term plagiarism was them insisting they use anti-plagiarism tools. Instead, they referred to the blogs as lacking proper source citation and “closely aligned” in format. Even an apology offered at the very end was full of caveats to ensure there was no admission of actual guilt. As of the writing of this blog, that is where things stand. No personal apologies have been issued, and no other contact or acknowledgement on the part of EC-Council has occurred.

Damage to the Community

The point of this blog isn’t to attack EC-Council, however; it’s to use this example to highlight a bigger issue that is growing in the cybersecurity space. Unethical marketing behaviors such as this have sown considerable distrust between security practitioners and the vendors we rely on to supply the defensive tooling and education we need. In EC-Council’s case, they are an organization that serves to educate and certify the skills of cybersecurity professionals. Yet, despite including the word “ethical” in the title of one of their most well-known certifications, their marketing behavior fails to live up to it.

Not only have actions like this crushed the critical trust that the cybersecurity industry relies on, they also hurt content creators like me who try to share our knowledge to help educate others. The message from this incident is that content creators have to go to ridiculous lengths just to defend our rights. Otherwise, when companies choose to steal our content for their own commercial gains, it’s hard to locate and counteract.

Content Marketing Requires Investment

Based on my time spent creating content for content marketing campaigns, I have a theory that I believe is the likely cause of the issue at EC-Council. All too often, content marketing will hire professional writers who are not domain experts to create new online content. This is ok if it is done correctly. By that I mean the writers act in a ghost writer capacity. They sit down with proven experts to gain enough knowledge and unique perspective to write content on that expert’s behalf. Additionally, they are provided with research tools to further gather enough information to write a quality piece.

The problem manifests when these writers are given aggressive timelines and little access to expertise and research materials, when they’re forced to simply Google for a search term that they want to target and use the results to craft new content. This creates a situation where the temptation is great to simply leverage someone else’s work to knock out the content quickly.

Organizations need to understand that hiring non-expert professional writers is not a way to cut costs. They should be hired for their skill in writing and then empowered and enabled with the necessary support. Trying to hire professional writers without domain expertise and thinking they can simply learn from Google searches is a recipe for this kind of disaster. Organizations need to support their content marketing efforts with real investment in quality and expertise. There simply is no other way.

Content Requires Stringent QA

If you are going to publish content to your site, that means you have a duty to other content creators. Your duty is that you must ensure your authors aren’t posting plagiarized material. Simply running an automated tool clearly isn’t enough. As described above, despite EC-Council’s claims that they ran a tool, the effort to find plagiarized material was quite trivial.

You need humans that review your blogs. You need to not only ensure accuracy and valuable content, but also that it wasn’t stolen. There simply is no replacement for a human review that can inherently detect when the voicing of a piece doesn’t match that of the author.

Further, organizations need to have a culture with core values and practices that reject such unethical behaviors. If your culture is lax or uncaring, patterns of behavior like those shown above will inevitably emerge. Organizations need to instill accountability and expect excellence from their employees. Engage with them, support them, and work with them so issues like these cannot persist.

Looking to the Future

I have no clue where EC-Council will go from here. I have no interest in being involved in any way with their organization. Not even their CISO Mag publication, or their Hacker Halted series of conferences. However, for other organizations out there, take a good hard look at your content marketing practices. Win over customers and advocates for your products and services by providing meaningful and valuable contributions through your content. Offer unique insights, share new perspectives, or highlight practical applications of your solutions to real cyber security problems. Don’t steal and regurgitate the original and thoughtful work of others as a way to capitalize on others’ expertise.

We need trust among the members of our community. It’s the only way we can gain the trust of the businesses we’re trying to defend. It’s time that cybersecurity vendors mesh profits and ethical behavior into a singular business vision. That is the path forward that we need.

BISO - Business Information Security Officer, white text on black background

What is a Business Information Security Officer (BISO)?

A Business Information Security Officer (BISO) is a senior security leader assigned to lead the security strategy of a division or business unit. They provide a bridge from the centralized security function to the business. The BISO functions like a deputy CISO reporting into the business line.

The BISO role is becoming more common in larger organizations, especially those with more mature security programs. BISOs translate the goals and policies of the centralized security function of the corporation down to specific practices and procedures within the business lines. Additionally, the BISO is responsible for providing business context back to the CISO’s organization to help shape future direction.

Why do organizations have BISOs?

BISOs work closely with the CISO and business leaders to make sure that corporate security objectives are treated as business requirements. The BISO ensures that those objectives are met with processes and procedures tailored to best fit the unique inner workings of the division. This often includes connecting security initiatives to compliance, audit, and regulatory requirements.

Having a senior security leader dedicated to the business unit creates a single owner for the division’s security strategy. Programs like vulnerability management, compliance, and application security are typically owned and driven by the BISO. Additionally, the BISO serves as a consultative resource for technology and development teams on security-related issues. All of this helps build credibility for security within the business unit and creates a culture that recognizes that security is everyone’s job.

An organization chart with human clip art images

The BISO is also responsible for providing upward visibility into the security posture of the division. In many organizations, they are called upon to report the division’s state of security not just to the CISO but to the Executive Committee (EC) and Board of Directors as well. The BISO therefore must have a solid plan for measuring improvement and ensuring appropriate goals are established and tracked.

What are qualities of a good BISO?

Desirable characteristics for BISOs are very similar to those of a CISO. There are four key characteristics that a successful BISO should possess:

  • Broad security knowledge
  • Executive presence
  • Influencer leadership
  • Strategic thinking

Broad security knowledge

As you’d likely expect for a security leader, a BISO should possess a great deal of proficiency in the technical aspects of cyber security. The ideal person possesses a wide breadth of experience across the various domains. However, depending on the scope and make-up of the business unit, it is often beneficial to find someone that has more focused expertise with key strategic technologies. For instance, if they’ll be leading a division that is going through a focused cloud transformation, it would be beneficial for the BISO to have particular expertise in cloud native technologies.

Picture of a busy security operations center.

What is important to remember from a skills and experience perspective is that the BISO will be the primary owner of the security strategy for the division. Therefore, they need to be able to speak credibly to each of the technology domains while also working with subject matter experts when depth of expertise is needed.

Executive Presence

Since the BISO directs the security initiatives within the division or business unit, they must communicate up the leadership structure. Effectively communicating the risk and security posture of their organization to executives and the Board of Directors is a crucial skillset. This means rising above the technical implications and instead speaking in the context of business objectives and risks that are impacted.

Woman speaking at the head of a table during a board meeting.

In some organizations where the BISO is aligned to smaller units of the business, there may be less opportunity to communicate with the EC and Board. However, this does not make executive presence less important. The BISO still needs to be able to speak to business impacts and understand how their message is received at the highest levels of leadership.

Influencer leadership

While BISOs typically report through the business leadership structure, that doesn’t mean they operate in a position of authority over the technology and business groups with whom they’ll work. The BISO functions as the bridge between the business and the corporate security function. Therefore they need to be able to influence both organizations effectively without formal authority.

In the end, influencing actions by speaking to the motivations of each audience demonstrates stronger leadership prowess than ruling by edict. For the BISO it’s an absolute necessity. The best leaders clearly communicate the value of the initiatives they propose to those who will be asked to adopt them. A BISO’s worth lies in empathizing with their audience and addressing their concerns credibly and effectively.

Strategic thinking

The successful BISO is one who doesn’t get mired in the technical details. Instead they see the big picture: how all the various elements of the business and security strategy work together. They look at their work in terms of a long-term vision. Individual tactical elements and mid-level initiatives all connect in some way to that vision.

That ability to see things from the higher level keeps the BISO grounded in meeting their core objectives. They unite security strategy with business objectives to continuously improve the security posture rather than chasing a singular objective.

An Emerging Role

The BISO role is still very new. Even for the select organizations that have embraced the role, how they structure it can vary. In the end, however, the goals are the same. The BISO is there to ensure that security initiatives are implemented with business context in mind. The BISO advocates for security within the division and connects security to business enablement. BISOs are a valuable resource that will likely continue to be established within an increasing number of organizations.

Alyssa on-stage at RSA

Don’t Tap That Mic

Top 10 tips for working with production crews as a speaker

A colleague and I were recently talking about the bad habits we’ve seen from speakers at various conferences. This led to a deeper discussion on the importance of the production teams at these events. I think for many speakers the production teams are taken for granted. Many speakers that I’ve observed behave in ways that make it more difficult for production to do their job.

The Speaker’s Biggest Ally, Until You Screw it Up

As a former Front-of-House engineer, I have a special appreciation (as well as insight) into the world of the production crew. Any member of the production team that takes their job seriously will likely agree that the core value of their job is to make the talent look and sound their best. They are there to ensure the success of the event and that all begins with the talent. Whether it’s a speaker, a band, or actors in a play, we spend a lot of money on lights, audio reinforcement and staging to achieve this goal. Ultimately, even in the most hostile room, they are the ones that are on your side, unless you give them reason not to be.

This is why it is disturbing to me when I see speakers who behave in ways that frustrate or work against the production team’s efforts. I don’t think it’s typically because the speakers are jerks; they’re just unaware. Unfortunately, while no production staff will ever work against the speaker, if you refuse to work with them, there are things they’d like to do for you that they simply can’t. If you insist on doing things your way, that may break the methodology they follow and as a result, your presentation may suffer. So I hope sharing my perspectives from both the production and speaking sides of this equation will be helpful.

1. Know your venue

One of the primary tips I always share with speakers is to show up at your venue ahead of time, if possible the day before, and get the lay of the land. Check out where the stage is, how big it is, where projection is happening and how. Is it front projected, rear projected, or an LED screen? Each of these can affect how you move and present from stage. Even if the event provides you a room/stage layout, it’s important to see it in person first.

As an example of why this is important, I’ll share a personal experience. I was recently speaking at a very large conference. Based on all the info I was provided before the event, I was expecting to be in a small breakout room with a single front-projected screen and a smaller stage. However, the day before my presentation, I stopped by the room and discovered the stage was fairly large, had a massive LED screen with multiple Picture-in-Picture frames that would carry my presentation, lots of stage lighting, and a great audio system. In short, it was the equivalent of a keynote stage. As a result, I was able to work with the production crew to change the approach to my presentation a little so I could take full advantage of what was a very exciting stage.

2. Introduce Yourself to Production

Going along with the topic of knowing your venue, get to know the production team in advance. Find someone during a break between speakers and introduce yourself. Personally, my intro is usually something like this: “Hi I’m Alyssa and I’m speaking on this stage tomorrow, is there anything you think I should know?” This is a great way to not only introduce yourself but also show the production team that you are a killer professional and ready to work with them. You’ve now told them you’re open to their direction and ideas on how to make your talk a success.

Production teams very much appreciate a speaker who does this. Whether it’s a massive keynote stage or a small 50 person break-out, they know that venue better than you. They’ve watched speakers work in there and they know what mistakes or issues can come up. They’ll arm you with information that will help you be your best, so listen up and work cooperatively with them.

3. Prepare for What Can Go Wrong With Your Presentation

When you introduce yourself as I suggest, the smart production team will not only answer your question but ask you in return what you want them to know. Think proactively. Does your presentation have a video or audio? Make sure they know this and have a way to get that audio to their system. Do you have special needs for the layout of the stage? Now is the time to ask if any modifications can be made. Be ready to be told no. Sometimes there are just things that seem like they should be easy from your perspective but there may be logistical, safety, or even contractual reasons why they cannot accommodate your request.

Before you even go to your venue, be aware of what the technical challenges might be in your presentation. Production crews will do their best to work with you given the tools they have at hand, but they need to know what’s coming. This can pay dividends during your presentation. At a recent conference, I had a video that played as part of my presentation. All presentations were pre-loaded on their systems and videos had to be fired separately from the PowerPoint by the production team. I had a discussion with the production team about my video. As a result, they knew it was coming. This paid off because I ended up cueing them to run the video a slide too early. Instead of letting me stand there like a dork with no video running, they flexed, played the video, and let me play catch-up with my slides. As a result it was very smooth and no one in the audience was any the wiser.

4. Use Your Microphone Properly

This is a pet peeve of mine and I think for most production team members. Speakers, you need to understand how different microphones are designed to work and use them appropriately. You also need to understand that the available equipment is what’s available. It’s not an insult to you if you don’t get the kind of microphone you want. Unless you’re booking a $20K speaking gig with a rider that specifies a specific microphone, get over it if you have to use a wired handheld instead of the wireless lavalier (Lav) that most speakers appreciate. So let’s break this down by microphone type.

The Handheld Mic

We all know the handheld mic. Whether corded or wireless, these are easily recognizable. However, for many speakers, myself included, they can inhibit our speaking style. Sometimes, though, that’s just what you have, and as a stage performer (yes, that is what you are as a speaker) you must be flexible and adapt.

Picture of a wireless handheld microphone
Handheld microphones are the most common and easily recognized microphones

The key thing with handheld mics, whether wired or a wireless transmitter, is that they’re designed to be held close to your mouth. Like really close. Not so close that your lips touch them (that’s just gross) but if you hold it down at your chest level, you’re fighting against the audio engineer. It’s now impossible for them to make you heard without running into feedback problems. So hold the mic close to your mouth if it’s a hand held. Be cognizant that if you take the mic away from your mouth to gesture, no one can hear you anymore. So yeah, you’ve got to keep that mic hand in a pretty static position.

The Lavalier (Lapel or LAV Mic)

Most speakers’ favorite is the lavalier mic. This is that little clip-on mic that allows you to have your hands completely free to do anything else. However, you’ve got to be aware as a speaker how these wonderful little inventions work. Unlike the handheld, these are not designed to be held close to your mouth; in fact they’re not designed to be held at all, so don’t! Work with the production crew to place the mic in an appropriate place and just leave it there. I’ve seen speakers who want to hold it in their fingers and talk directly into it. This makes your audio engineer’s life hell and causes you to peak or clip, which sounds bad and can actually damage the audio system.

Lavalier microphone and transmitter pack.
Lavalier (Lav) mics are great for allowing a speaker to be hands free but you need to be careful.

Also be aware of your gestures when wearing a lavalier mic. They’re placed on your clothes in a strategic place by or at the recommendation of your audio crew. However, if you bump or catch the mic while gesturing you can knock it loose which can affect your volume level, create large transient sounds that can damage the audio system, or you can even damage the microphone itself. So while it’s great to be completely hands free, you still need to be aware of where that microphone is and function accordingly.

The Headset Boom

Growing in popularity, especially with some speakers, is the headset boom. These are those mics that hang from one or both ears, or maybe an overhead strap, and place the mic nice and close to your mouth. Look at images from large keynote addresses and you’ll see these in use a lot. The big advantage of this design is that there is far less chance of you knocking the mic or having your clothes move in a way that affects its positioning.

Tan-colored headset microphone
Headset boom microphones are becoming increasingly popular with speakers.

These mics are obviously designed to be very close to your mouth. However, they operate from the side of your mouth in many cases and are not designed for direct input. In other words, they should not be handheld and spoken into directly as this will again cause issues with peak levels and a very frustrated audio engineer. Once your production person has helped you place the mic, again leave it alone. Don’t adjust it or move it around. They put it where it will work best, trust in their abilities or ask them if you think it needs to be moved for your comfort. Finally, sometimes these mics can be challenging in that if they’re not well secured (sometimes with tape) they can move around. This is especially true if you are very animated and moving about. So work with the production team, particularly if you’re a big mover, to make sure the mic is secure and stable.

For Mics of Any Type

As the title of this blog says, do not, under any circumstances, tap, hit, or blow into the mic. These actions can damage the delicate pickup in the microphone and can cause destructive audio transients that are harmful to the rest of the downstream audio equipment. If you want to see if a mic is hot, speak into it. If you feel self-conscious about speaking into it (you are a speaker, right?) then simply click your tongue or make another audible noise. In my somewhat humble opinion, nothing says amateur quite like a speaker who abuses a microphone to check if it is hot. As a former audio engineer, nothing was more irritating than this behavior. No audio engineer wants to watch their expensive equipment being abused. Don’t even get me started with the idiotic idea of “drop the mic”. If you don’t have thousands of dollars to replace it, treat it like what it is, someone else’s property that you’re borrowing.

5. Trust Your Volume To the Audio Engineer

I see this one way too often with unskilled speakers. They grab a handheld mic, hold it properly (close to their mouths), begin speaking, and freak out about how loud it sounds. They then immediately hold it at chest level and now the audio engineer has to chase their levels the rest of the way just to make them barely audible to the audience. The moral of this story: use proper mic technique and let the audio engineer adjust the volume at their end. Sometimes what seems too loud to you is actually perfect for the audience to hear you. If it’s too loud, the engineer will adjust the levels; that’s their job. But don’t make their job harder by changing the input level and not giving them enough to work with. If there’s feedback, count on them to fix that too. Do the little things like not walking in front of the speakers, but otherwise leave it up to them to fix the feedback. It’s likely not a volume problem but rather an equalizer problem anyway.

6. Plan Your Wardrobe

This is one of those items that speakers often get wrong. When we think about stage wardrobe, most speakers think in terms of dressing for impact. That’s great. You need to look good for your audience and you want to wear something that fits with the setting and will make you memorable. However, there is a production component that needs to be considered as well. Plan your wardrobe to make the production team’s job of positioning your microphone easy.

For instance, will you be using a lavalier mic? If so, plan for where that mic will go. The goal is to get the lav mic as close to center under your chin as possible. Wearing a v-neck or button-down shirt makes this really easy. Even crew necks on t-shirts or sweaters work pretty well. Avoid shirts or blouses that have ruffles or other loose material around the neckline. Don’t plan to hang a lav mic on the lanyard from your event badge. Honestly, you shouldn’t be wearing a badge while you’re up speaking anyway.

Also be aware of your jewelry. If you’re using a lav mic, having a dangling necklace that will make noise and contact the microphone is problematic. Dangling earrings can be a particular issue if you’re using a headset mic. Finally, be aware that with wireless headset and lav mics, you also need a place for the transmitter pack to go. This can be particularly problematic when wearing a dress. Without pockets or a waistband, I’ve seen women have to clip the pack to the back of their neckline. Trust me, that is not comfortable when you’re speaking. So think strategically about what you wear in terms of accommodating production needs in addition to your visual impact goals.

7. Don’t Lie in Your Sound Check

A common joke among audio engineers is that everyone lies in sound check. The audio engineer asks the talent to speak so they can get levels adjusted and the speaker comes out with a very timid and quiet voice. Then the speaker walks on stage and opens the talk with a boisterous, energetic greeting. Now the engineer is scrambling to re-adjust the levels to keep your mic from clipping or worse yet damaging their gear.

We don’t always get the opportunity to sound check as speakers. Smaller breakout stages might not afford us this opportunity. But when you do find that situation where you have a moment to help the engineer prepare audio levels, try to tell the truth. Get yourself in character for a moment and work to replicate the level of volume and energy that you typically use on stage. This makes their job easier and now you look (or more importantly, sound) your very best.

8. Early is On-time, On-Time is Late

Save your production crew, and yourself, some stress and anxiety (we all have enough of that) and be early to your presentation. Coming in two minutes before your start time is a terrible way to start or build the relationship with your production team. If they’re sweating whether the next speaker is going to arrive for their slot, they won’t be in the best of moods when you finally come strutting in. If they’re not in good moods, and if you’re scrambling at the last minute, that’s an equation for a terrible speaking experience. These are professionals you’re dealing with but they’re also human.

They have a job to keep things on time as well. So when a speaker walks in for their 2:00PM session at 1:59PM, that creates problems. It’s almost a guarantee you will not be able to get your computer hooked up, video working, get mic’ed up, get announced, and start on time at 2:00PM. They can pull out a lot of stops but they are not miracle workers. You need to do your part as a professional to help the event you’re representing create a good experience for the attendees. Remember them? They’re the ones paying to support the event, they’re the ones that expect to get something out of the experience. In short they’re the ones that matter the most! No one, not even the most world renowned keynote speaker, is bigger than the event itself. Don’t fall into that line of narcissistic thinking.

9. Know Your Rig

Unless you’re a highly sought-after keynote speaker, you’re likely using your own computer for a lot of your speaking engagements. Spend some time getting to know how it functions technically. Know how to separate the audio from the HDMI output. Most situations have a separate aux cable for audio. Know how to leverage duplicated displays versus extended displays. Be aware of what video and audio outputs your computer has and get a collection of the necessary adapters to cover other options. Don’t count on the AV team to have these for you.

Ultimately, the production crew are highly skilled individuals who know audio, lighting, and a whole host of other elements that go into producing an event. More often than not however, they are not computer or projector experts. They’ll do everything they can to help you out, but the more knowledge you have of your own hardware and software, and how to configure it when things go wrong, the better chance you’ll have of being successful.

10. Be Respectful

I feel like this should go without saying but I’ll say it anyway. The production team can be your very best friends on your speaking engagement. They want to ensure your success but they do have jobs to do. Be mindful. If it’s a big production team and they’re wearing headsets, there are conversations going on in their ears all the time. They may have to interrupt you to respond to someone who is calling them, unaware that they are talking to you. Additionally, trying to have a conversation with the audio engineer while there is someone active on stage is a high risk activity. They may ask you to come back during a break as they need to focus on that speaker. Understand that especially in breakout rooms where you may only have one production person, they’re being asked to fill a lot of roles at once (audio, visual, stage manager, etc.).

In that vein, try to have some empathy for these folks who see hundreds of speakers a month. Things that are highly urgent to you are probably pretty routine to them. It doesn’t mean they have a right to treat you poorly, but when they don’t react with the same level of urgency you’re expecting, understand that may be why. It might simply be that they’ve got a plan to address the problem and it truly isn’t as big an issue as it seems.

So be a team player. Remember the production team is there to ensure your success and thereby the overall success of the event. If you work against them, you’ll all have a bad day. However, if you’re cooperative and professional in your approach, they’ll help ensure you look like the superstar that you are!!

Three women at a table, possibly a job interview

A Promotions Gap

Are expectations in promotion helping fuel the “Skills Gap”?

Search job postings and you’ll find there are plenty of companies bragging about how they invest in their people. Internally, organizations like to boast about having a culture of promoting from within. Indeed, there is no shortage of articles touting the value of internal promotion processes. Yet, I must wonder if these words translate into action. While I’m still gathering the data in my surveys, some respondents have also reached out to me directly to share their stories. Quite a few tell me about how difficult it is to transition internally into security-related roles.

Initially, this might seem anecdotal. Without analyzing objective data, it can be dangerous to draw conclusions. However, the stories I hear are numerous and I have also witnessed and experienced similar situations. How many of these companies that claim to prioritize developing and promoting their own people, actually walk that walk? I’m beginning to believe the percentages aren’t that good.

What it means to promote from within

Establishing a culture of promoting from within requires more than mere words. In fact, failing to credibly back up such claims with actions can be detrimental to employee engagement. It’s more than simply having a process for employees to internally search and apply for jobs. It requires a commitment to your people. This commitment requires a few things:

  • Truly investing in the skills development of your people
  • Changing the way you evaluate candidates for available opportunities
  • Shedding the idea of “critical” roles that lead to external hiring

Over my 25 years in professional roles, I’ve seen the good and the bad. I’ve watched companies provide training with no clearly defined path for career advancement. I’ve experienced hiring searches that failed to accurately assess the potential of internal candidates. I’ve even been witness to hiring practices that deemed a role too “critical” to take a chance on elevating an internal employee. These are mistakes and they lead to long timelines to fill crucial positions while also devaluing existing employees.

Quote by Richard Branson about taking chances on people and promoting from within.

Investing in employee development

I’ll start with the concept I believe is probably most easily understood. I also believe, again based only on experience and hearsay, that it is the one that gets the most effort. Employee development is a concept that’s gotten increased attention in the last decade or so. More and more, organizations are coming to understand the business value of developing their employees.

Training seems to be one of the key areas that gets the focus when we talk about employee development. Many organizations have formal training programs, invest in e-learning technologies, and some even set aside specific per-employee training budgets. This is great; however, it only scratches the surface of what is necessary. To truly develop your employees means preparing them for their next role and providing a clear vision of what that next role can be and how they can get there.

This requires active leadership participation. It requires the organization first and foremost to have mature job descriptions and provide clear expectations. Human Resources professionals can often tell you stories of struggling to get support for this foundational element. Taking the next step of succession planning is also crucial. How will a role be filled when it becomes vacant? Leaders should constantly be working to identify “who’s next”. Ultimately, that succession planning then has to lead to action. Leaders need to be grooming those planned successors, empowering employees through challenging assignments that provide visibility into key aspects of what that next role entails. Sadly, these last two steps are often neglected or avoided altogether.

So succession planning and development require us to identify candidates by potential. That leads into the second point: we need to think about our people and how they fit open roles in a different way.

Evaluate talent differently

This is a concept that, from my experience, needs a lot of attention in most organizations. If a company is looking to fill a role, how they assess the internal candidates needs a unique approach. Far too often the same experience- and skills-based lens is used for both internal and external candidates, but that just doesn’t work. When evaluating external candidates, a reasonable mix of experience that matches the job role is expected. For instance, the expectation that a candidate for a senior manager or director role has previous “managing managers” experience. However, the same bar cannot be used for internal candidates if you’re invested in developing your people.

Internal candidates are often direct reports of the role being filled or are moving into that role from another area of the business. So it can’t be expected that they’ll have the experience of someone who’s worked that role before. Organizations need to assess internal candidates based on potential. But how does the leadership team assess potential? The Harvard Business Review published a terrific article on this in 2017. The basic premise is that leaders need to be constantly aware of those employees whose performance consistently elevates that of those around them. It’s a combination of ability, drive, and social skills that should be prioritized above past experience or demonstrated role-specific skills.

Unfortunately, from the stories I’ve heard, my own experiences, and indeed the glut of open security-related leadership roles currently on job boards, companies are failing in this crucial aspect. That leads to the third point.

No role is THAT critical

I’ve watched numerous internal security candidates get rejected or ignored, and jobs posted externally, because the role was deemed “too crucial”. In particular within security, there seems to be a belief that certain roles are so important that the organization must find a “step-in” candidate (someone who’s done it before and can step in and run with things on day one). The problem is that this prolongs the candidate search in two ways. First, it eliminates the majority of high-performing internal candidates who could be very successful in the role. Second, it shrinks the available pool of external candidates since, as studies show, the majority of job seekers are looking for new challenges. Few are going to be attracted to a job doing what they’ve already been doing.

Promoting from within requires the understanding that high-performing candidates thrive in critical roles that stretch their skills or demand them to develop new skills. Pushing back on or ignoring internal candidates because a role is “too critical” to fill internally tells your teams a lot about how much you value their skills and abilities. It says you don’t trust them, you don’t believe in them, and that the only jobs they’re qualified to fill are somehow less crucial. This is not how you create a culture of committed high performance.

About that skills gap…

When I see security roles open for long periods of time, it causes me to question the organization. Sure many jobs need to be filled externally, especially with growing companies that are seeking to add resources. But when there’s a role that sits open for 6 months, a year, or longer, especially if it’s a senior or leadership role, one has to ask “are there no internal high-performers who could step into that role?” The broader question becomes once again, are we experiencing a skills gap, or are we just looking for the wrong skills or in the wrong places?

** Footnote: Some may take issue with certain aspects above in the context of equal employment opportunity requirements and such. Nothing I’m suggesting above is in conflict with those requirements; I simply didn’t go the extra mile of explaining how, as that is a lengthy discussion on its own.

Speaking at RSA Conference 2020: Human Factor

RSA Conference Schedule

Where to find me at RSA

As I’ve announced previously through social media, I’ve received the great honor of being accepted to speak at the RSA Conference in San Francisco this year. One thing has become very apparent thus far, this is a huge networking event and everyone wants to meet up. So as my calendar gets more and more full, it’s harder to coordinate and share with others. Therefore I thought it best to share it here. Contact me if you’d like to schedule time to meet up.

Description | Location | Time

Monday 24-Feb
Panel: GDPR, Supply Chains, and Other Policy Game Changers | AGC Partners Cyber Security Summit | 11:30-12:15
Panel: Power Up Your Personal Pitch | She Speaks Security, Moscone West | 2:00-2:50
Table Talk Discussion #3: Your Pitch | She Speaks Security, Moscone West | 2:50-3:05

Tuesday 25-Feb
Media Interviews | RSA Media Room, Moscone South | 10:00-11:30
Presentation: Stranger Danger, Finding Security Vulnerabilities Before They Find You | Trend Micro Booth #672, Moscone South Expo | 1:00-1:10
Presentation in Vendor Expo | Moscone North Expo | 2:00-2:15
Women of Security (WoSEC) Crashes RSAC | Moscone South, Room 303 | 3:00-5:00
RSA Scholars Dinner | Private | 5:00-9:00

Wednesday 26-Feb
Losing Our Reality: How Deepfakes Threaten Businesses and Global Markets | Sandbox Stage, Moscone South | 10:40-11:10
Presentation in Vendor Expo | Moscone North Expo | 12:30-12:45
Presentation: Stranger Danger, Finding Security Vulnerabilities Before They Find You | Trend Micro Booth #672, Moscone South Expo | 2:00-2:10
Media Interviews | Off-Site | 4:30-5:00

Thursday 27-Feb
Birds of a Feather: Overcoming Candidate Skills and Diversity Gaps in Hiring | Engagement Center, Moscone West | 9:20-10:10
Presentation: Stranger Danger, Finding Security Vulnerabilities Before They Find You | Trend Micro Booth #672, Moscone South Expo | 12:00-12:10
Braindate Session: Processes for Threat Modeling in DevSecOps | Engagement Center, Moscone West | 1:00-1:40


It Shouldn’t Be This Hard

Why is a career in cyber security so difficult to build?

There it is again. Another headline about the cyber security skills shortage. It’s getting worse, says the author. A different article puts the number at 4 million open jobs with no relief in sight. Training platforms market their programs in an effort to address the problem. Conferences host career fairs and villages. We have volunteers doing resume reviews and interview coaching. Yet despite all this effort, studies tell us the problem is growing.

This pattern would suggest that more jobs are being created than there are people to fill them. But if that were the case, who are all the people attending these career-building events? Why are there people who’ve been searching for over 12 months to find a security role? If there are 4 million unfilled jobs, shouldn’t it be impossible to find a job seeker who hasn’t been able to get a callback on their applications? Yet these people truly exist; look at any Mentoring Monday Twitter thread and you’ll see they exist in large numbers.

The Blame Game

When you ask these questions of people around the security community, you’ll get some interesting results. Employers point their fingers at academia for not offering relevant instruction. Hiring managers blame candidates for applying to positions they’re not qualified for. Aspiring security professionals often point out that entry-level jobs are hard to come by. Seasoned professionals, like myself, point to the myriad unrealistic job listings that discourage candidates from even applying.

With all the speculation about who and/or what is to blame, it’s hard to know if there even is really a skills shortage. I previously wrote about my belief that this shortage is overblown, if not an aberration altogether. Two things are certain here. One, entry-level and experienced candidates searching for jobs often spend months to a year looking for work. Two, many cyber security roles sit open for months to a year or longer.

The real costs of this problem

Businesses pay dearly as a result of this situation. There is a concept in the recruiting world known as Cost-of-Vacancy (COV). Most people understand that actively recruiting for a position costs money. However, what many fail to account for are the other costs of having an open position. These include:

  • Increased attrition
  • Lower productivity
  • Lost sales or renewals
  • Increased travel and other expenses

Businesses are not the only ones bearing the costs of the problem. Obviously, the job seekers themselves take on much of the cost. Searching for jobs costs money as well as time. Mental and physical health suffer as a result of staying in a bad situation, or simply from the job search process itself. Even family life can suffer as a result of this increased stress and demand for time.

Finding the solution

OK, so everyone pays a price as a result of this seemingly disconnected situation between hiring organizations and job seekers. Why then don’t we have a solution? It’s time for the industry to do better and be better. Predictably, that begins with building a better understanding of the reality we face. To that end, I recently announced via social media that I teamed up with Manning Publications to write a book. The focus of this book will be building a career in cyber security. Unlike the precious few other books of its type on the market, I don’t intend to focus heavily on training strategies and technical skills. Instead, my work will take a long hard look at the human factor. I’ll address the unseen challenges and provide ways to overcome them.

With that said, my first step is research. I want to find practical answers to the problems I’ve detailed above. This is where you can help me help others. I’ve created two data-gathering surveys. The first targets experienced security professionals. I want to gather insight into the journeys others have taken in their careers. The second is for aspiring professionals; in other words, those who have never worked in cyber security but want to. I want to understand the problems from their perspectives. I want to learn about their experiences and the skills they bring to the table. Both surveys are quite short, only 3-5 minutes to complete, and both are completely anonymous. I’ve included the links below and would appreciate it if you could spread the word. Additionally, of course, if you fit either description above, I’d love it if you could complete the appropriate survey.

Improving our situation

Thank you in advance for your assistance with this. I truly believe there is much to be gained from this work. I’m teaming up with others in the industry to understand their research as well. My goal is to finally bridge the real gap that I see here. The gap between expectations of job seekers and hiring organizations. That is how I think we’ll improve our community and the digital world as a whole.

Experienced Professionals Survey: https://s.surveyplanet.com/LupYIHiV

Aspiring Security Professionals Survey: https://s.surveyplanet.com/lmI4b4fB


An Exciting Start to 2020

New Year Brings Change, a New Role with a New Company

In a previous post I announced that I would be leaving my current role shortly after the new year. On New Year’s Eve it seems appropriate to share with you the other half of that story. It’s time for me to announce where I’m going and what I’ll be doing.

So let me get right to the point. I’m excited to announce that I’ll be joining Snyk Ltd. as an Application Security Advocate. Snyk develops software and performs research to help organizations find, fix, and monitor vulnerabilities in open source dependencies of their code. In my new role, I’ll be socializing strategies for how organizations can ensure security of open source dependencies. My focus will be on interaction with development and business leaders. I’ll be working to bring greater awareness of how open source challenges can be addressed.

A focus on new responsibilities

I’m truly excited to have the opportunity to re-focus on Application Security. Those of you who know my background understand that AppSec has always been my core strength. In this new role, I’ll be primarily responsible for key activities for which I have tremendous passion. Those will include creating content and various public appearances to drive the open source security and DevSecOps message.

Passion and vision

I’m really looking forward to joining Snyk. I believe in their vision of solving the challenges around open source dependencies. Their focus on research and integration as part of a DevSecOps approach really resonates with me. Their strong and steady growth model also means that I’ll have the chance to grow my career equally as dynamically. So in the end I feel like this is the right role at the right time for me.

I appreciate all the support I’ve gotten over the last year from my security community. 2019 was a phenomenal year for me personally. I look forward to continuing my growth in 2020. Happy new year to you all and I look forward to seeing where we can take our security community in the new decade.
